
GD bbPress Toolbox 3.6.3 Pro – Security Release

GD bbPress Toolbox 3.6.3 Pro is a security release. It fixes a Cross-Site Request Forgery (CSRF) issue that in very, very rare cases can lead to an SQL injection attack. This is not a big security risk, but it is important to have all security related issues fixed.

This issue was discovered in the WordPress SEO by Yoast plugin a few days ago, but there is no proof that any website has been hacked using it. The chances of that happening are very, very low, because it can happen only if a website administrator, while logged in, intentionally clicks a link that was prepared for this type of exploit. So this exploit can’t be used for mass hacking; it depends on the administrator. This CSRF method relies on the sorting variables ‘order’ and ‘orderby’ being taken from the URL and used in an SQL query. If they are not sanitized, they could be used to pass additional SQL into the query. For it to work, the link must be crafted for a specific plugin and a specific page in that plugin’s admin settings, and the attacker has to know which plugins you use and how they operate in order to tailor the URL for you. On top of that, the attacker needs to convince you to click such a link. So there is a very slim chance of this actually happening.

GD bbPress Toolbox Pro has two panels showing the list of attachments and the list of attachment errors. Both pages allow sorting by several columns. When building the SQL query, the plugin uses all the proper checks and measures, but there was no special check for the ‘order’ and ‘orderby’ values. With this new version the plugin sanitizes both variables by checking whether the value is allowed; if it is not what the plugin expects, the values are removed.
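The allowlist check described above, written out as an added example that is not the plugin’s own code: a small helper validates the ‘order’ and ‘orderby’ request values against a fixed list before they are placed in the ORDER BY clause, because identifiers cannot be bound through wpdb::prepare() placeholders. The function names, the column list and the table name are constructed for illustration, and the nonce check via WordPress’s check_admin_referer() is included as the standard CSRF mitigation for admin pages; the post does not say whether the plugin uses it.

```php
<?php
// Added example, not code from GD bbPress Toolbox Pro. Function names, the
// column allowlist and the table name are constructed for illustration.

/**
 * Return sorting values that are guaranteed to be one of the expected constants.
 * Anything else coming from the request is dropped and replaced by the default,
 * which is the behaviour the 3.6.3 release notes describe.
 */
function d4p_example_sanitize_sorting( array $request, array $allowed_columns, $default_column ) {
    $orderby = isset( $request['orderby'] ) ? (string) $request['orderby'] : $default_column;
    $order   = isset( $request['order'] ) ? strtoupper( (string) $request['order'] ) : 'ASC';

    // Strict comparison against a fixed allowlist: no escaping is attempted,
    // unexpected input is simply discarded.
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = $default_column;
    }
    if ( ! in_array( $order, array( 'ASC', 'DESC' ), true ) ) {
        $order = 'ASC';
    }

    return array( 'orderby' => $orderby, 'order' => $order );
}

/**
 * Build the attachments list query for an admin panel. Column and direction
 * come only from the allowlisted values; the numeric filter is bound with a
 * %d placeholder through wpdb::prepare().
 */
function d4p_example_attachments_sql( array $request ) {
    global $wpdb;

    $allowed = array( 'id', 'post_id', 'file_name', 'file_size', 'date' ); // constructed column list
    $sort    = d4p_example_sanitize_sorting( $request, $allowed, 'id' );
    $post_id = isset( $request['post_id'] ) ? absint( $request['post_id'] ) : 0;
    $table   = $wpdb->prefix . 'example_attachments'; // constructed table name

    if ( $post_id > 0 ) {
        return $wpdb->prepare(
            "SELECT * FROM {$table} WHERE post_id = %d ORDER BY {$sort['orderby']} {$sort['order']}",
            $post_id
        );
    }

    return "SELECT * FROM {$table} ORDER BY {$sort['orderby']} {$sort['order']}";
}

/**
 * Admin page handler. The nonce check is WordPress's standard CSRF defence for
 * admin requests (assumption: the post does not say whether the plugin uses it);
 * sorting links on the page would be generated with wp_nonce_url() using the
 * same action name.
 */
function d4p_example_render_attachments_panel() {
    global $wpdb;

    check_admin_referer( 'd4p_example_sort_attachments' );

    return $wpdb->get_results( d4p_example_attachments_sql( $_GET ) );
}
```

With this in place a request carrying an ‘orderby’ value that is not one of the listed column names, or an ‘order’ value other than ASC or DESC, falls back to the defaults, so nothing from the URL reaches the query text unchanged. The nonce check stops the query from running at all when the request was not produced by the plugin’s own admin page.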

It is highly recommended that you update to this new 3.6.3 version as soon as possible, because I believe that security issues need to be taken seriously and fixed as soon as possible. Your website is not in any danger as long as you do not blindly click suspicious-looking links that lead to your website’s admin side and come from some third-party source.

As usual, if you find any issues with this plugin, use the forums to report it, and include as much information as you can.

Purchase GD bbPress Toolbox Pro

You can find more information about the plugin on its page on the Dev4Press website. You can buy a license for this plugin here.

Official Website

GD bbPress Toolbox Pro has its own website where you can check all plugin features in detail:

Home: www.gdbbpbox.com

GD bbPress Toolbox Pro
Enhancing WordPress forums powered by bbPress

Expand bbPress powered forums with attachments upload, BBCodes support, signatures, widgets, quotes, toolbar menu, activity tracking, enhanced widgets, extra views...

About the author

Milan Petrovic

CEO and lead developer of the Dev4Press Web Development company, working with WordPress since 2008, first as a freelancer and later founding his own development company. Author of more than 250 plugins and more than 20 themes.

